Remote Control and Device Security: How Cyber-Attacks Can Impact M2M. Dr. Christoph Peylo, VP Deutsche Telekom Innovation Laboratories. London, 22nd-23rd May 2013


DESCRIPTION

Presented by Dr. Christoph Peylo, VP Deutsche Telekom Innovation Laboratories, at the Telco Network Security Conference, London, 22nd-23rd May 2013.

TRANSCRIPT

Page 1: How Cyber-Attacks Can Impact M2M

Remote Control and Device Security: How Cyber-Attacks Can Impact M2M. Dr. Christoph Peylo, VP Deutsche Telekom Innovation Laboratories

London, 22nd-23rd May 2013

Page 2: How Cyber-Attacks Can Impact M2M

TELEKOM INNOVATION LABORATORIES 5/20/2013 - public - 2

CONTENTS.

1. Short company profile.

2. The world in which we are living: a network under permanent attack.

3. M2M vulnerabilities and exploits.

4. A remedy.

5. Wrap-up.

Page 3: How Cyber-Attacks Can Impact M2M


Short company profile.

Page 4: How Cyber-Attacks Can Impact M2M


Deutsche Telekom – profile.


Page 5: How Cyber-Attacks Can Impact M2M


Focus on innovation.


Page 6: How Cyber-Attacks Can Impact M2M


Trends & technologies.


Page 7: How Cyber-Attacks Can Impact M2M


The world in which we are living: a network under permanent attack.

Page 8: How Cyber-Attacks Can Impact M2M

"Sicherheitstacho" (security speedometer) reveals attacks.

Page 9: How Cyber-Attacks Can Impact M2M


Non-exhaustive list of current security risks: the operator's view.

• End devices

  • Direct attacks against customer devices, e.g. mobile phones, routers, set-top boxes, etc.

  • Indirect attacks via malicious applications that compromise the user's privacy and the corporation's intellectual assets.

• Operations

  • Organized attacks (APTs) against infrastructure to impact operations, e.g. with DoS attacks or data theft.

  • Damaged servers or system components.

  • Attacks against business processes.

• Infrastructure

  • Infrastructure components (e.g. routers and gateways) may be attacked by third parties via backdoors or vulnerabilities in the hardware or software.

  • Attacks against infrastructure by exploiting vulnerabilities in protocols (GSM, etc.).

Page 10: How Cyber-Attacks Can Impact M2M

Attack vectors against M2M infrastructure.

Page 11: How Cyber-Attacks Can Impact M2M


M2M vulnerabilities and exploits: getting remote access and control.

Page 12: How Cyber-Attacks Can Impact M2M


Device Attacks: Security hole in printers.

In November 2011 HP's printer division confirmed a vulnerability in older LaserJet printers that allows attackers to install specially crafted firmware on the devices. The issue exists because firmware updates for older models are deployed without digital signatures, so the printers accept and install any firmware.

• The firmware can also be updated remotely, allowing attackers to gain control of a printer by injecting code.

• Researchers at Columbia University used specially crafted firmware to overheat a printer's fuser, which could potentially even cause fires.

Source: http://www.h-online.com/security/news/item/HP-Laserjet-printer-security-problems-1387374.html

In November 2012 US-CERT warned of a hidden administrator account in printers made by Samsung that allows an attacker to take full control of the devices. The "account" was a hard-coded community string with full SNMP read and write access, and it remained active even when SNMP was disabled in the printer's administration interface.

Source: http://www.h-online.com/security/news/item/Samsung-network-printer-vulnerability-discovered-Update-2-1757967.html

In March 2013 US-CERT issued a similar warning: a number of HP LaserJet printers could be accessed over the network, and unencrypted data could be read from them without authentication.
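The Samsung case above is a device that reports SNMP as disabled while its agent still answers a hard-coded community string. The following is an added example, not code from the slide or from any vendor advisory: it hand-encodes SNMPv1 GetRequest/GetResponse PDUs in BER (so it needs no SNMP library) and audits which community strings a target answers, using a constructed in-memory "printer" that accepts two strings, one of them hidden. The community strings, the sysDescr text and the device behaviour are invented; udp_transport() is how the same audit would be pointed at a real device.

```python
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0: readable with any valid community

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _ber_int(v):
    # shortest two's-complement encoding; all values used here are small and non-negative
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(oid):
    """Dotted OID -> BER contents: first two arcs merged, remaining arcs base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def _message(community, pdu_tag, request_id, varbind):
    pdu = _tlv(pdu_tag, _ber_int(request_id) + _ber_int(0) + _ber_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)  # version 0 = SNMPv1

def build_get_request(community, oid, request_id=1):
    return _message(community, 0xA0, request_id, _tlv(0x30, _tlv(0x06, encode_oid(oid)) + b"\x05\x00"))

def build_get_response(community, oid, value, request_id=1):
    return _message(community, 0xA2, request_id,
                    _tlv(0x30, _tlv(0x06, encode_oid(oid)) + _tlv(0x04, value.encode())))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_message(packet):
    """Decode community, PDU type, error-status and the first varbind value."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _, p = _read_tlv(msg, 0)               # version
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    _, _, p = _read_tlv(pdu, 0)               # request-id
    _, err, p = _read_tlv(pdu, p)
    _, _, p = _read_tlv(pdu, p)               # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(vbl, 0)
    _, _, q = _read_tlv(vb, 0)                # OID
    vtag, value, _ = _read_tlv(vb, q)
    return {"community": community.decode(), "pdu": pdu_tag,
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": value.decode(errors="replace") if vtag == 0x04 else value}

def audit_communities(transport, candidates):
    """Return {community: sysDescr} for every candidate the target answers."""
    accepted = {}
    for rid, community in enumerate(candidates, start=1):
        reply = transport(build_get_request(community, SYS_DESCR, rid))
        if reply is None:                     # agents silently drop a bad community
            continue
        parsed = parse_message(reply)
        if parsed["pdu"] == 0xA2 and parsed["error_status"] == 0:
            accepted[community] = parsed["value"]
    return accepted

def udp_transport(host, port=161, timeout=2.0):
    """Transport for a live device (one UDP exchange per probe); not used by the demo below."""
    def send(packet):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (host, port))
            try:
                return s.recv(4096)
            except socket.timeout:
                return None
    return send

# Constructed stand-in for a printer whose admin UI reports "SNMP disabled" while its
# agent still answers a hidden read/write community. Both strings are invented.
CONSTRUCTED_COMMUNITIES = {"public": "Constructed Printer MFP",
                           "hidden-rw-community": "Constructed Printer MFP"}

def constructed_printer(packet):
    req = parse_message(packet)
    if req["community"] not in CONSTRUCTED_COMMUNITIES:
        return None
    return build_get_response(req["community"], SYS_DESCR, CONSTRUCTED_COMMUNITIES[req["community"]])

if __name__ == "__main__":
    found = audit_communities(constructed_printer, ["public", "private", "hidden-rw-community"])
    for community, descr in found.items():
        print(f"accepted community {community!r}: {descr}")
```

A community the agent rejects produces no reply at all (SNMPv1 agents drop the datagram, at most emitting an authenticationFailure trap elsewhere), so the audit treats a timeout as "rejected" and a GetResponse with error-status 0 as "accepted". Run it against the printer's SNMP port before and after disabling SNMP in the web interface; a community that keeps answering afterwards is exactly the class of backdoor US-CERT described.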

Page 13: How Cyber-Attacks Can Impact M2M


Device Vulnerability: Security hole in heating.

The problem was reported in April 2013 for a small-scale combined heat and power unit that uses natural gas to provide heating and power for one or two family homes. The system is connected to the internet and provides a web interface that allows home owners to remotely control the heating in their house.

• A security hole in this web interface makes it easy to obtain the plain-text passwords for the systems.

• Attackers may turn the system off and potentially even damage it in the process.

• The manufacturer recommends physically disconnecting the affected products from the network until a service technician can fix them on site.

Source: http://www.h-online.com/security/news/item/Security-hole-can-damage-heating-systems-1842489.html

Page 14: How Cyber-Attacks Can Impact M2M


Device Vulnerability: protocol flaws.

The ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) warned in August 2011 of security vulnerabilities in globally distributed control software for industrial plants. The Sunway ForceControl and pNetPower SCADA/HMI applications from the Chinese manufacturer Sunway are affected; they are in use worldwide in various industries.

Both products have server components that can be compromised remotely by using either HTTP requests (ForceControl) or UDP packets (pNetPower) to trigger a heap-based buffer overflow. ICS-CERT says successful exploitation results in denial of service and possibly arbitrary code execution.

During a scan of the entire IPv4 address space in January 2013, Rapid7 discovered 40 to 50 million network devices that can potentially be compromised remotely with a single data packet.

All kinds of network-enabled devices are affected, including routers, IP cameras, NAS devices, printers, TV sets and media servers. They all have several things in common: they support the Universal Plug and Play (UPnP) network protocol, they respond to UPnP requests from the internet, and they use a vulnerable UPnP library to do so.

Source: http://www.h-online.com/security/news/item/Critical-vulnerability-in-industrial-control-software-1263040.html

Source: http://www.h-online.com/security/news/item/Millions-of-devices-vulnerable-via-UPnP-Update-1794032.html
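Rapid7 found these devices by sending a single SSDP M-SEARCH to each address and reading the SERVER header of the reply, which names the UPnP stack and its version. The following added example (not the slide's code and not Rapid7's scanner) does that classification offline: it parses SSDP/HTTPU responses, extracts product/version pairs from the SERVER header and flags stacks below the first fixed release. The two sample replies are constructed, the 192.0.2.x addresses are from the RFC 5737 documentation range, and the fixed-in thresholds (libupnp 1.6.18, MiniUPnPd 1.4) are taken from Rapid7's January 2013 report rather than from the slide.

```python
import re
import socket

M_SEARCH = ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n'
            "MX: 2\r\n"
            "ST: ssdp:all\r\n\r\n")

# Product name as it appears in the SERVER header (lower-cased) -> first fixed version.
# Thresholds are from Rapid7's January 2013 UPnP report, not from the slide.
FIXED_IN = {"portable sdk for upnp devices": (1, 6, 18),   # libupnp (CVE-2012-5958 and related)
            "libupnp": (1, 6, 18),
            "miniupnpd": (1, 4)}                           # CVE-2013-0229 / CVE-2013-0230

# product/version pairs; product names may contain spaces (libupnp's do), versions are dotted digits
_PRODUCT = re.compile(r"([^,/]+)/(\d+(?:\.\d+)*)")

def parse_ssdp(raw):
    """HTTPU reply -> {'_status': status line, <header name, lower-cased>: value}."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def server_products(server_header):
    """'Linux/2.6.x, UPnP/1.0, Portable SDK for UPnP devices/1.6.6' -> [('linux', (2, 6)), ...]"""
    return [(m.group(1).strip().lower(), tuple(int(x) for x in m.group(2).split(".")))
            for m in _PRODUCT.finditer(server_header)]

def assess(raw_response, source_is_internet):
    """Classify one SSDP reply: which UPnP stack, and whether it is in a known-vulnerable range."""
    headers = parse_ssdp(raw_response)
    verdict = {"stack": None, "version": None, "vulnerable": False,
               "exposed": source_is_internet, "location": headers.get("location")}
    for name, version in server_products(headers.get("server", "")):
        for known, fixed in FIXED_IN.items():
            if known in name:
                verdict.update(stack=known, version=version, vulnerable=version < fixed)
    return verdict

def discover(timeout=2.0):
    """Live LAN probe: multicast one M-SEARCH and assess every reply (not used by the demo)."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(M_SEARCH.encode(), ("239.255.255.250", 1900))
        while True:
            try:
                data, (addr, _) = s.recvfrom(65535)
            except socket.timeout:
                return results
            results.append((addr, assess(data.decode(errors="replace"), source_is_internet=False)))

# Constructed replies (not captured from real devices).
SAMPLE_LIBUPNP = ("HTTP/1.1 200 OK\r\n"
                  "CACHE-CONTROL: max-age=1800\r\n"
                  "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
                  "SERVER: Linux/2.6.x, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
                  "ST: upnp:rootdevice\r\n"
                  "USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n")
SAMPLE_MINIUPNPD = ("HTTP/1.1 200 OK\r\n"
                    "LOCATION: http://192.0.2.11:5000/rootDesc.xml\r\n"
                    "SERVER: OpenWRT/Attitude_Adjustment UPnP/1.1 MiniUPnPd/1.8\r\n"
                    "ST: upnp:rootdevice\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("libupnp device", SAMPLE_LIBUPNP), ("miniupnpd device", SAMPLE_MINIUPNPD)):
        print(label, assess(raw, source_is_internet=True))
```

Any reply at all to an M-SEARCH arriving from a public address is a finding regardless of version, because SSDP is meant for the local link only; the exposed flag records that separately from the version check. discover() sends the multicast probe on the local LAN; it is an inventory tool for networks you administer, not a substitute for an internet-wide scan.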

Page 15: How Cyber-Attacks Can Impact M2M


Gateway Vulnerability: Unprotected gateway servers.

Security expert HD Moore found over 100,000 unprotected terminal servers in April 2013.

Terminal servers are essentially serial interfaces that extend into the internet. By connecting to a specific TCP port, users can remotely "talk" to the serial port of the device attached to it. Often these devices are control systems or provide maintenance access.

• More than 13,000 provided administrative access without requesting a password.

• 95,000 were exposed to the internet through mobile connections such as GPRS or 3G.

Vulnerable devices are easy to find: in April 2013 Heise Security found more than 10,000 potentially vulnerable routers straight away.

Many of the holes can be exploited via the internet, some of them even without authentication.

The holes discovered by ISE have been given 17 CVE numbers so far, and a further 21 submissions are currently being investigated.

Source: http://www.h-online.com/security/news/item/Groundhog-day-for-routers-1847381.html

Source: http://www.h-online.com/security/news/item/Serial-threat-on-the-internet-1849412.html

Page 16: How Cyber-Attacks Can Impact M2M


Infrastructure Vulnerabilities: Baseband.

[Figure, two panels. "Functional view": Business Framework / Service Enablement / Connectivity / Device (Bus Systems) / Communication Module, with the APPs and the interfaces of the APPs (Applications) stacked on top. "Simplified architecture": Application processor and Digital baseband processor connected via shared memory, with the Analog frontend behind the baseband.]

Source: Ralf-Philipp Weinmann, "Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks"

Page 17: How Cyber-Attacks Can Impact M2M


Remedy: multiple layers of independent security.

Page 18: How Cyber-Attacks Can Impact M2M

Aggregation of risks in M2M infrastructure.

• Attacks on user data, identity and privacy: e.g. eavesdropping, or masquerading as a user to obtain data and identification tokens.

• Attacks on the network: impersonation of devices or insertion of rogue devices (leading to unauthorized network access), DoS attacks against network components.

• Attacks on aggregation points: physical attacks, configuration attacks, compromise of credentials, protocol attacks, e.g. modification of over-the-air device management and traffic protocols.

• Attacks at the level of the M2M device infrastructure: common threats are reflashing/installation of modified software via physical access to the device, and taking advantage of valid authentication tokens in manipulated devices.

[Figure: M2M reference layers, top to bottom: applications in the M2M application domain, service capabilities, transport networks, M2M gateway, M2M area network with M2M devices. The four attack classes above are mapped onto these layers.]

Page 19: How Cyber-Attacks Can Impact M2M

Secure microkernel device architecture.

[Figure: device stack, bottom to top: Hardware; Secure boot loader; Trusted separation kernel (board support package, runtime environment, microkernel); Virtualized device drivers; then several isolated compartments, each with its own kernel space and user space, one of them holding the modem firmware.]

• Only the microkernel is privileged in kernel mode; all device drivers and processes run in dedicated non-supervisory execution spaces.

• Each process is assigned only the minimum privileges it needs.

• All hardware addressing and all process-to-process information flow is controlled by the NEAT Trusted Separation Kernel, which is therefore in a position to enforce the kernel security policy.

• Drastic reduction of the trusted computing base to ca. 40K lines of code (a conventional OS kernel has xx million lines).

• Strict separation and isolation of compartments.

• The software architecture is generic and hardware-agnostic.
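The slide's core claim is that the separation kernel mediates every cross-compartment channel, so the policy can be checked rather than trusted. The following added example (not code from SIMKO 3 or from the NEAT separation kernel) models a policy as a directed graph of kernel-permitted channels and checks two isolation requirements over it: untrusted input from the modem firmware or from the open application may reach the secure application only through a VPN compartment. A monolithic design with one shared network driver fails the check; the virtualized-driver design from the figure passes it. Compartment names, channels and requirements are invented for illustration; the model covers declared channels only, not covert or timing channels.

```python
from collections import deque


class FlowPolicy:
    """Directed graph of kernel-permitted channels (IPC ports, shared memory, device access)."""

    def __init__(self, compartments):
        self.channels = {c: set() for c in compartments}

    def allow(self, a, b, both_ways=True):
        """Declare a channel a -> b (and b -> a by default, as for a shared buffer)."""
        self.channels[a].add(b)
        if both_ways:
            self.channels[b].add(a)
        return self

    def path(self, src, dst, avoid=()):
        """Shortest chain of permitted channels src -> dst that never enters `avoid`, else None."""
        prev, queue = {src: None}, deque([src])
        while queue:
            node = queue.popleft()
            if node == dst:
                chain = []
                while node is not None:
                    chain.append(node)
                    node = prev[node]
                return chain[::-1]
            for nxt in sorted(self.channels[node]):
                if nxt not in prev and nxt not in avoid:
                    prev[nxt] = node
                    queue.append(nxt)
        return None

    def violations(self, requirements):
        """requirements: (src, dst, guard). guard=None: src must never reach dst at all.
        Otherwise every src -> dst chain must pass through guard, checked by deleting it."""
        found = []
        for src, dst, guard in requirements:
            chain = self.path(src, dst, avoid=() if guard is None else (guard,))
            if chain:
                found.append((src, dst, chain))
        return found


COMPARTMENTS = ["secure_app", "open_app", "vpn", "modem_fw",
                "net_driver", "net_driver_secure", "net_driver_open"]

# Invented isolation requirements: anything coming from the modem or the open app must
# pass the VPN compartment (which authenticates it) before it can touch the secure app.
REQUIREMENTS = [("modem_fw", "secure_app", "vpn"),
                ("open_app", "secure_app", "vpn")]


def shared_driver_policy():
    """Monolithic design: one network driver talks to the modem and to every application."""
    return (FlowPolicy(COMPARTMENTS)
            .allow("modem_fw", "net_driver")
            .allow("net_driver", "secure_app")
            .allow("net_driver", "open_app"))


def virtualized_driver_policy():
    """Design from the figure: per-compartment driver instances, VPN in front of the secure app."""
    return (FlowPolicy(COMPARTMENTS)
            .allow("modem_fw", "net_driver_secure")
            .allow("modem_fw", "net_driver_open")
            .allow("net_driver_secure", "vpn")
            .allow("vpn", "secure_app")
            .allow("net_driver_open", "open_app"))


if __name__ == "__main__":
    for name, policy in (("shared driver", shared_driver_policy()),
                         ("virtualized drivers", virtualized_driver_policy())):
        for src, dst, chain in policy.violations(REQUIREMENTS) or [(None, None, None)]:
            print(f"{name}: " + ("no violations" if chain is None else f"{src} reaches {dst} via {' -> '.join(chain)}"))
```

The check is a cut test: delete the guard compartment and ask whether the source still reaches the destination. It is the kind of property worth stating once, alongside the kernel's channel configuration, and re-running whenever a driver or channel is added, since a single extra allow on a shared driver silently reintroduces the path.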

Page 20: How Cyber-Attacks Can Impact M2M

Only Type-1 virtualization adds security.

Hypervisor on hardware -> secure. Hypervisor on OS level -> not secure.

[Figure: two stacks side by side, with attack vectors marked on each. Left (type-1): Hardware; Bootloader; Microkernel with type-1 hypervisor; isolated compartments, each with its own kernel space and user space, one holding the modem firmware. Right (type-2): Hardware; Bootloader; a full host kernel space with a type-2 hypervisor on top, and the guest compartments (kernel space and user space each, one holding the modem firmware) above that host kernel.]

Page 21: How Cyber-Attacks Can Impact M2M

Microkernel minimizes risks.

With the microkernel-based architecture that has been developed for T-Systems' SIMKO 3, several independent layers of security provide high protection against external attacks and malicious applications.

This technology is currently being adopted for home gateways and M2M devices, thus protecting customer equipment from being attacked and controlled remotely.

This approach therefore has a direct impact by securing devices and gateways.

Used to its full extent, e.g. with encrypted VPNs securing the connection to backend services, it improves overall system security considerably.

However, security must be designed in end-to-end; it is not sufficient to focus on a single, even if important, component of a distributed system.

[Figure: the M2M reference layers as on slide 18 (applications in the M2M application domain, service capabilities, transport networks, M2M gateway, M2M area network, M2M devices).]

Page 22: How Cyber-Attacks Can Impact M2M


Wrap-up

Page 23: How Cyber-Attacks Can Impact M2M


• There is no such thing as absolute protection or absolute security. However, attacks have costs. It is rational to assume that a potential attacker will not perform an attack if its cost is higher than the value of its benefit.

• Thus, the level of security of a device should correspond to the value and sensitivity of the data or services that may be accessed through it.

• However, in Internet-based business the economic costs of security are often distributed away from specific businesses to all users of Internet services. Higher levels of security are not implemented until the costs of fraud (and insurance) threaten existing business.

• Security has to be seen as a feature of a product or service that adds value. Only where there is clear awareness of risks and threats can the value of security be established.

• Because professional attackers hide attacks in the 'background noise' of network traffic, and because intentionally planted backdoors may be indistinguishable from vulnerabilities created by ordinary bugs, statistical methods and machine learning technologies are becoming increasingly important for security analysis and for the protection of networks and infrastructure.

Summary.

Sadly, attacks are not exceptions. Attacks are the norm.

Page 24: How Cyber-Attacks Can Impact M2M

THANK YOU!